The State of Industrial Control Systems Security and National Critical Infrastructure Protection

Transcription

1 The State of Industrial Control Systems Security and National Critical Infrastructure Protection Emerging Threats Tinuade Adesina, Lulea University of Technology Sweden IT Security for the Next Generation European Cup, Prague February, 2012

2 Agenda National Critical Infrastructure Protection (CIIP) Industrial Control Systems (ICS) Challenges and Vulnerabilities of ICS The Evolution of cyber attack goals The Evolution of Cyber attack methods National CIIP in the European Union Questions

3 Brazilian Blackout Traced to Sooty Insulators, Not hackers PAGE 3 "IT Security for the Next Generation", European Cup February, 2012

4 Critical Infrastructure Critical Information Infrastructure as a Pillar of other CI s Transport Safety- Emergency Services Government Water Chemicals Food - Agriculture Defense Industrial base Healthcare Legal/Judicial Finance Research facilities Energy Information and Communications Technology Commercial Facilities PAGE 4 "IT Security for the Next Generation", European Cup February, 2012

5 Characteristics of Industrial Control Systems Challenges faced in ICS Security ICS components are distributed across distances via a communication network or media Deployed in unique environments Safety comes first CIA = AIC Industry standard is SRA = Safety Reliability Availability Remote access is commonly used to control components Human Operator input via HMI, software and hardware input on interrelated devices Interacting protocol stacks between endpoint devices PAGE 5 "IT Security for the Next Generation", European Cup February, 2012

6 Characteristics of Industrial Control Systems Common Vulnerabilities Weak network perimeters Vulnerability patching effort vs vulnerability disclosure is controversial (Siemens Simatic WinCC ) Exposure to traditional IT domain vulnerabilities: Man In The Middle attacks Buffer Overflows Vulnerable off the shelf code Improper cyber security practices : Password management Executive security ownership Operator security training Enforcement of compliance standards PAGE 6 "IT Security for the Next Generation", European Cup February, 2012

7 The Evolution of ICS Cyber Attack Goals Symantec,2010 common attack vectors vs reported incidents Turk,2005 Hactivism Steal electronic information Shut down or degrade computer networks Alter or destroy electronic information on network Manipulate physical equipment through control network Unknown Information or Electronic warfare Financial gain Audit or pern-test Software error Personal Curiosity(malicious or otherwise) User or administrator error Infect Malware 0% 5% 10% 15% 20% 25% 30% 35% 40% 45% PAGE 7 "IT Security for the Next Generation", European Cup February, 2012

8 The Evolution of Cyber Attack Methods Sophisticated Malware and Network Discovery Stuxnet est. compile date : June 2009 Identified : June 2010 Kill date: 24 th June 2012 Duqu est. compile date : 3 rd November 2010 Identified: 1 st September 2011 Active lifetime : 36 days SHODAN : Expose Online Devices ERIPP: Every Routable IP Project PAGE 8 "IT Security for the Next Generation", European Cup February, 2012

9 Government as the chief stakeholder ICS Security within CIIP planning, The EU and the USA USA DHS Office of Cybersecurity &Communications National Protection and Programs Directorate US-CERT Control Systems Security Program (CSSP) European Union ENISA- Resilience Strategy National governments- sovereign structures The Networked Readiness Index ( OECD) PAGE 9 "IT Security for the Next Generation", European Cup February, 2012

10 National Critical Infrastructure Protection Plans Conclusion Measuring National CIP Activity Law mapping Critical Infrastructure environment Outlined National CIIP plan Active Regulatory Policies Documentation of efforts and guidelines Active CIIP projects Stakeholder engagement Information sharing and awareness programs Government Regulatory Body Vendor Operator PAGE 10 "IT Security for the Next Generation", European Cup February, 2012

11 What is your awareness of the critical infrastructure plans being discussed within your country? Symantec 2010 Critical Infrastructure Protection Global Study I am completely aware of the plans 33% I am somewhat familiar with the plans 22% I have heard of them, but I am not very familiar 20% It sounds vaguely familiar, but I cannot place it 9% I am completely unaware of these plans 16% Symantec, % 5% 10% 15% 20% 25% 30% 35% 40% 45% 50% PAGE 11 "IT Security for the Next Generation", European Cup February, 2012

12 Conclusion What should we be doing? A Hierachy of Obligations Government Creation of national frameworks for CIIP and there in ICS Enabling cross border cooperation, national awareness programmes Regulatory bodies Information sharing- coordination among stakeholders Instituting compliance standards and guidelines on CII Vendors Enhanced built in security tools and design for ICS Cooperation with infrastructure providers on industry standards Infrastructure providers-system operators Security strategy review: risk awareness, vulnerability assessments, compliance management Endpoint defense in depth strategy PAGE 12 "IT Security for the Next Generation", European Cup February, 2012

13 Thank You Tinuade Adesina, Lulea University of Technology Sweden IT Security for the Next Generation European Cup, Prague February, 2012